News Archives

Saturday, June 30, 2018

Council of Europe Updates Convention 108

On May 18, following a process lasting seven years, the Council of Europe formally updated its Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) via an amending Protocol, and issued an explanatory report on the new provisions.  The changes were prompted by new information and communication technologies, as well as by the need to strengthen the implementation components of the Convention.  According to the Council, the modernized convention “provides a robust and flexible multilateral legal framework to facilitate the flow of data across borders while providing effective safeguards when personal data are being used. It constitutes a bridge between different regions of the world and different normative frameworks.”  Fifty-three countries have adopted the legally binding international treaty, which is open to any country in the world as a unique global standard.  On June 29, Mexico became the 53rd country to accede to Convention 108.  Other non-European parties to the Convention include Uruguay, Senegal, Mauritius, Tunisia and Cabo Verde.

Wednesday, June 27, 2018

Complaints Under the GDPR Begin to Mount

Within hours of the General Data Protection Regulation coming into effect, Max Schrems and his non-profit advocacy group, None of Your Business, filed four complaints - one against Facebook, another two against its subsidiaries Instagram and WhatsApp, and a fourth against Google – all claiming that the tech companies coerced their users into accepting their terms and conditions.  The complaints were filed with DPAs in Austria, Belgium, France and Hamburg and could lead to fines of €7.6 billion.  Later in the month, the French advocacy group La Quadrature du Net filed similar charges with the French DPA against Facebook, Google, Apple, Amazon and LinkedIn.  Notably, this is the first time that non-profit organizations are asserting claims to represent data subjects under Article 80 of the GDPR, and also the first time that complaints have being filed in the data subjects’ member states rather than in a company’s European headquarters.

Other reports about complaints came from regulators and the International Association of Privacy Professionals.  Accordingly to a June 18 statement by Andrea Jelinek, Chair of the European Data Protection Board, she and her colleague DPAs are investigating 24 cross-border complaints involving forced consent. An IAPP survey of regulators found that as of June 25, some 2,944 complaints had been received by 15 DPAs since the GDPR came into effect.  However, a break-out of how many of these complaints related to new requirements under the GDPR was not available. 

Vietnam Adopts Restrictive Cybersecurity Law

On June 12, the Vietnamese Ministry of Information and Communications announced that the National Assembly had approved, by an overwhelming majority, a cybersecurity law designed to protect national security.  Amongst its provisions are requirements for companies providing telecom and internet services to users in Vietnam for data localization, the establishment of local headquarters and making information about users judged to be engaged in anti-state activities available to authorities.  Vietnam has one of Asia’s fastest growing digital economies, but companies such as Google and Facebook may need to cease operations there, since compliance would be incompatible with their global privacy policies. How the new requirements apply to other multi-national companies remains to be determined.  The new law comes into effect on January 1, 2019.

Thursday, June 14, 2018

LIBE Calls for Suspension of Privacy Shield

On June 11, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted, by 29 to 25, to ask the European Commission to suspend the EU-U.S. Privacy Shield framework unless the U.S. government meets its obligations under the framework by September 1.  A similar resolution was approved by the identical margin by the LIBE in March 2017.  Of particular concern to the LIBE was the non-functioning of the U.S. Privacy Civil Liberties Oversight Board (PCLOB), the failure to appoint a permanent Ombudsperson, and the recent adoption of the Clarifying Lawful Overseas Use of Data Act or CLOUD Act.  According to LIBE Chair Claude Moraes, “the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR."  The non-binding resolution will be taken up by the full Parliament in July; even if passed, as is likely, any decision about Privacy Shield will remain with the European Commission.